This is great news. The old implementation was a little scary, they had a full JavaScript parsing engine (and other similar parsers) running as SYSTEM. You can get a sense of it via this Project Zero bug report:
https://bugs.chromium.org/p/project-zero/issues/detail?id=12...
That specific bug and others were of course fixed.
The issue is that such complex code is hard to write well in the language they're using, and running as SYSTEM is just asking for a zero-day takeover from simply visiting a site with a malicious file or an unread email.
I hope other AV vendors follow suit on the component sandboxing. They're scanning untrusted files, which will happily try to crash or take over the AV process itself.
Press releases are glorified advertisements. Please post something more substantive instead. Even release notes or change logs are better. An actual review like the really awesome in-depth Mac OS X reviews of yore would be even better.
I'd much rather read a glorified advertisement than a news article regurgitating various portions of the glorified advertisement, interspersed with a bunch of filler, ads, and background information I already know.
More interesting question: Why would bleepingcomputer.com be upvoted more than cloudblogs.microsoft.com?
I have to say that the latter says to me: "Go to sleep," but the first says "Hey this is interesting". Plus, the article in the first has pictures. The headline is punchier too:
* "Microsoft Sandboxes Windows Defender" (bleepingcomputer.com)
* "Windows Defender Antivirus can now run in a sandbox" (cloudblogs.microsoft.com)
I know that sandboxing is desirable here, but it runs as SYSTEM. How do you sandbox something running as SYSTEM? They must have changed the identity of Defender. That's all I can come up with. Anyone else know how this works?
I can't speak to the exact implementation here, but you can just run specific components as SYSTEM, and then the dangerous stuff (parsers, decompression, possibly emulation) as unprivileged.
I believe it runs with even higher privileges than SYSTEM --- a while ago I had to deal with an unresponsive and 100%-CPU-consuming scanner process, which I tried to kill from a command prompt running as SYSTEM, and it still said "access denied".
I know the reasoning is "if SYSTEM can kill it then so can malware", but it's still a bit unsettling that there are processes running on your system that even the owner doesn't have privilege to control.
The Windows Defender service only gives full control to TrustedInstaller (e.g. for Windows Update) and WinDefend. However, SYSTEM can impersonate TrustedInstaller. Maybe this will change in the future, but as of now it doesn't block malware unless the author didn't know what they were doing.
IMHO, it's wrong to say that TrustedInstaller and WinDefend have "higher privileges" than SYSTEM, as that is only true for specific files/executables, and in most of those cases SYSTEM can take direct control even without impersonating them.
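A way to check the claim above on your own machine rather than take either side's word for it, as an added example that is not part of the thread: dump the WinDefend service's DACL with `sc.exe sdshow` and list which principals hold the full-control mask. The `$wellKnown` table, the `$fullControl` mask string and the hard-coded TrustedInstaller SID are my own assumptions for readability; the SIDs and rights in the output are whatever the service actually reports.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Reads the WinDefend service security descriptor and reports which principals
# hold full control of the service object versus only start/query rights.

$sddlLine = sc.exe sdshow WinDefend | Where-Object { $_.Trim() -match '^D:' }
if (-not $sddlLine) { throw 'sc.exe sdshow WinDefend returned no DACL (are you elevated?).' }

# The service's own SID, so "NT SERVICE\WinDefend" is recognisable in the ACL.
$svcSid = ((sc.exe showsid WinDefend | Where-Object { $_ -match 'SERVICE SID' }) -replace '.*:\s*', '').Trim()

# Assumed mapping of SDDL short SIDs to names; anything else is translated via the OS.
$wellKnown = @{
    'SY' = 'NT AUTHORITY\SYSTEM'
    'BA' = 'BUILTIN\Administrators'
    'IU' = 'NT AUTHORITY\INTERACTIVE'
    'SU' = 'NT AUTHORITY\SERVICE'
    'AU' = 'NT AUTHORITY\Authenticated Users'
    'WD' = 'Everyone'
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' = 'NT SERVICE\TrustedInstaller'
}
if ($svcSid) { $wellKnown[$svcSid] = 'NT SERVICE\WinDefend' }

# Every service-specific right plus the standard rights: what "full control" looks like in SDDL.
$fullControl = 'CCDCLCSWRPWPDTLOCRSDRCWDWO'

# Keep only the DACL: drop the leading "D:" and any trailing SACL ("S:...").
$dacl = (($sddlLine.Trim() -replace '^D:', '') -replace 'S:.*$', '')

[regex]::Matches($dacl, '\(([^)]*)\)') | ForEach-Object {
    $type, $flags, $rights, $objGuid, $inhGuid, $sid = ($_.Groups[1].Value -split ';')
    $who = if ($wellKnown.ContainsKey($sid)) {
        $wellKnown[$sid]
    } else {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # short SDDL aliases not in the table stay as-is
    }
    [pscustomobject]@{
        Principal   = $who
        AceType     = if ($type -eq 'A') { 'Allow' } elseif ($type -eq 'D') { 'Deny' } else { $type }
        Rights      = $rights
        FullControl = ($rights -eq $fullControl -or $rights -eq 'GA')
    }
} | Format-Table -AutoSize
```

The interesting rows are the ones where `FullControl` is true: if SYSTEM is absent from them, that is the "access denied" the earlier comment saw, and whether that matters against malware comes down to the impersonation point made above, which this listing does not settle either way.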
The sandbox runs as SYSTEM and redirects things where its policy allows, catching all the lower-privilege requests and, where allowed, converting them to requests to the lower system. So now you just have to exploit the sandbox process instead of the AV process. I'm sure someone will do it sooner rather than later :')... it always ends in tears, these things.
There's a reason for Defender even with a sandboxed app. Exploiting the sandboxed app may not allow the virus to access other parts of the system, but it still allows messing with the app's memory and spreading online (you likely got it from an app with network permissions in the first place).
Could you please share the script? I wanted to do that too but never got around to it.
(it's especially bad when something creates a lot of small files, because Service Executable starts scanning them, and whitelisting processes doesn't seem to do much to deter it)
"Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later."
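The quoted instructions in PowerShell, plus a check of what the earlier "privileged service, unprivileged parsers" comment predicts you should see afterwards. This is an added example, not from the thread or from Microsoft's release: the variable name and the Windows 10 version requirement are from the quoted text; the process names `MsMpEng.exe` (the antimalware service) and `MsMpEngCP.exe` (the content process) come from Microsoft's announcement of the feature, not from this thread, and the owner column is whatever the system reports.

```powershell
# Added example, not from the thread. Run elevated; the change takes effect after a reboot.

# Step 1: set the machine-wide variable the quoted text describes. This writes the
# same value that "setx /M MP_FORCE_USE_SANDBOX 1" does, without the 1024-char setx limit.
[Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')

# Confirm it is stored at machine scope (a user-scope variable would not be seen by the service).
$value = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
if ($value -ne '1') { throw "MP_FORCE_USE_SANDBOX is '$value', expected '1' at Machine scope." }
"MP_FORCE_USE_SANDBOX=$value set at Machine scope; reboot to apply."

# Step 2 (after the reboot): list the Defender engine processes and their owners.
# With the sandbox active there should be a content process in addition to MsMpEng.exe;
# "MsMpEng%" matches both names. GetOwner may return access denied for a protected
# process even when elevated, which is reported rather than treated as an error.
Get-CimInstance Win32_Process -Filter "Name LIKE 'MsMpEng%'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        Name      = $_.Name
        Pid       = $_.ProcessId
        ParentPid = $_.ParentProcessId
        Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(access denied)' }
    }
} | Format-Table -AutoSize
```

The `ParentPid` column is the useful one when reasoning about the earlier "how do you sandbox SYSTEM" question: a content process spawned by the service, running under a different account than the service itself, is the split being described. If only one `MsMpEng` row appears after the reboot, the variable did not take effect on that build.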
Slight tangent, strawpoll on what everybody prefers for their Antivirus these days. Corporate and personal. I've been using ESET for years and anecdotally never had any issue.
Haven't used one in years. Windows Defender is good enough for most things. If I suspect my computer might be infected with something, I might run a Malwarebytes Anti-Malware scan, but it's strictly as-needed. I don't have any realtime protection.
Just Defender. Some bozo at work stumbled onto some questionable sites and got whacked with a cryptolocker a few years back, and in response to that, we had to run WebRoot for a while, and that was just awful - it may not be intrinsically terrible, but as configured here, it was centrally administered through a SaaS web app, and configured so that it wouldn't show any UI on users' machines - which ended up meaning that when it would false-flag something benign, it would pop an invisible modal window that locked out the machine for two or three minutes until it timed out. Every time you build a project... And especially excruciating with anything that used NPM and downloaded half the internet, because the real-time scanning would get swamped. Thankfully, after a few months of struggling, we got some exemptions.
You know, I've pretty much stopped using them. Haven't had one installed on a Win machine for a few years.
I take a handful of basic precautions along the lines of closing ports, installing OS updates, having my email text-only and passive, disabling a few things on the web browser and never downloading/running anything suspicious. It's been good enough that the last time I installed a new Win, a dedicated antivirus didn't even occur to me.
On occasion I'll run a malware finder when I'm seeing odd behaviour and want to be sure, but I can't remember the last time there was a genuine positive find.
I’m pretty much in the same boat here for a few years now.
I believe I ran some Symantec search tool once when things seemed off and was able to install a targeted removal tool by them and remove them afterward.
Same principles with my macs.
Any Linux machine I use tends to be virtual and pretty blackboxed save web, ssh, and ssl ports. (And maybe a port open connected to a database)
I'm using the built-in Windows antivirus and never had any problems. I'm usually not running shady executables, so I think that it's adequate protection (I'll check an exe with VirusTotal if I'm not sure about it). Otherwise I'd use Kaspersky, I guess; my Internet provider provides me a free license for it or something like that.
Sophos has pretty solid offerings; their free level of home protection is fairly comprehensive. Windows Defender is adequate now, though. I like Malwarebytes: if you just want to run scans without background protection, it's free.
Stopped using antivirus around 2010, I'm just careful about what I download and haven't had an issue. Since Windows 10 ships with defender I've used that.
There have been stories that other vendors are even worse, but it doesn't matter; they should've updated Defender 12 years ago concurrently with IE as they were developing the tech for Vista, because... Defender has a high false-negative detection ratio and so is a plan B, Hail Mary kind of technology - you should do everything so that you don't rely on it working, as it works only passably well for a percentage of stale threats. That's why if it and similar software is enabled it should affect your security only additively and should never contribute to attack surface. Instead, in an effort to check if a file contains any months-old malware, you get pwned by a bug in a decompression function for a file that you didn't even open, that just passed through your system, and so you'd have survived the attack if it weren't for the system that tries to help you survive attacks, stupidly.
"unless the attacker finds a way to escape the sandbox, which is among the toughest things to do, the system remains safe."
How was that determined xD.... wtf. There have been trivial sandbox escapes for most sandboxes in existence...
Stopped reading there >.> Pure speculation on how effective this thing will really be in the first paragraph casts doubt on the accuracy of the rest of the information.
It was determined by design. If the sandbox were trivial to bypass, why have it at all? The sandbox has to meet those conditions or it's a non-starter. And regardless, it would certainly be easier to audit the security of a small component like a sandbox versus the entirety of the Windows Defender application.
I imagine Windows Defender has been and will continue to be (even after this) nation state intelligence agencies' #1 way to get into users' Windows PCs.
I for one haven't trusted Windows Defender in a while, both because I don't trust Microsoft not to be malicious with it (at the very least they've steadily increased the amount and types of telemetry they collect through it) and also because it's such an easy target for all sorts of attackers.